The Top 25 Critical Vulnerabilities are Being Exploited by the Chinese: NSA -- Patch Them Now

This report shows how nation state actors are using the same flaws everybody else is abusing to compromise networks. The list is led by flaws in perimeter security devices. These flaws have been heavily abused by ransomware gangs, crypto coin miners and essentially anybody interested in breaching a corporate network. A good reminder to review your vulnerability scans. If you find any of these 25 flaws included, assume that it has already been exploited. Even if you are not the target of Chinese nation state attackers.

Johannes Ullrich

While it is interesting to note that the list includes vulnerabilities from 2015 and 2018, dont look to the specific vulnerabilities exploited, look to the general cyber hygiene recommendations. Regularly patch and verify the security of products, replace old or obsolete products, use internal trusted or isolated management networks, block deprecated services at the perimeter, enabling logging, alerting and monitoring. Remember to validate systems for signs of compromise during the interval prior to update, and address any issues discovered.

Lee Neely

Excellent resource.

Brian Honan

This issue of NewsBites is chock-full of high criticality patches; this Oracle mega-patch is one of many on the server or appliance side of things. IT ops groups may be consumed by supporting large-scale Work From Home, with critical Exchange, VPN server and other actively exploited vulnerabilities staying unpatched and often unmitigated even longer than in past years. The item detailing the NSA warning is a good one to use to convince CIOs and upper management that providing sufficient change-window time right now needs to be a high priority.

John Pescatore

These updates are spread across 27 products. The larger update interval Oracle uses provides for application of updates to business applications and services with less interruption and more regression testing. There are hopes that Oracle continues to grow, more frequent updates to commodity products will become available to reduce the number of updates released at each interval.

Lee Neely

Expect another 400 or so next quarter. A quarterly schedule is more efficient for the maintainer but means that the vulnerabilities have a longer life, some longer than three months. 400 suggests a large reservoir of both known and unknown vulnerabilities.

William Hugh Murray

The urgency is being driven by the active exploitation of the vulnerability. You should already be pushing this update out to your Mac, Windows and Linux systems. An update was also just released for ChromeOS and Android platforms (86.0.4240.112 and 86.0.4240.114 respectively) which systems will be receiving through the regular update process over the next several days. If you are using the non-browser embedded FreeType, push updates for that as well.

Lee Neely

Browsers are notoriously porous because they are feature-rich and easily extensible. They should be routinely maintained and isolated from mission critical applications.

William Hugh Murray

While there is no current evidence of active exploitation, the DOS conditions, if enacted, require a device reboot to clear, making updating now a more attractive option.

Lee Neely

While WordPress has forced the update, deemed one of the most severe flaws in recent history by their security team, it's still prudent to validate that your WordPress installation has been updated. The issue is in the brute force login protection, which is enabled by default, that stores bad login username in the database. A malformed login, which includes SQL statements, is then stored in the database without sanitization, which allows for those statements to be executed without authentication.

Lee Neely

These updates affect both the Windows and macOS products. Users with the Creative Cloud desktop app will be automatically updated; even so, verify the updated versions are deployed.

Lee Neely

Out-of-schedule fixes suggest urgency and are often to vulnerabilities that are being actively exploited. Even though such fixes are expensive to the user, they deserve special attention.

William Hugh Murray

Be sure that your copyright notice is included in the content so protected.

William Hugh Murray

Kudos to all involved in these takedowns. We regularly hear that criminals are becoming more efficient and effective due to various groups working together. It is great to see those on the side of good working together to make life more difficult for criminals.

Brian Honan

This creates a common language and terminology for discussion and publishing issues, which should help making assessment and risk acceptance decisions more consistent. Even so, the pure score has to be weighted with environmental factors relating to the ability of vulnerabilities to be exploited. When using those factors, regular validation is necessary to ensure they haven't been circumvented or bypassed.

Lee Neely

Note that vendors *can* use this tool/approach, but the FDA is *not* requiring them to do so. I've been a big fan of the CVSS standard since V1 came out in 2005 or so. That same year, the FDA issued Guidance for Industry 1553 to the medical device industry, which removed barriers to medical equipment vendors rapidly issuing patches for vulnerabilities in their products because of FDA certification issues. In 2020, we are on V3 of the CVSS standard (which vendors originally fought) and CVSS has proven to be very useful but the medical device industry is pretty much where it was 15 years ago vulnerability-wise. We really need to see the FDA force progress in making medical devices safer just removing barriers has not been enough.

John Pescatore

The attack surface of a medical device should be as limited as its application and environment permit. If it includes an operating system, it is already too big.

William Hugh Murray